Cloud and Third-Party Transfers: When EU Institutions Are in Conflict Over Using Microsoft 365 Cloud Services - and What It Can Mean for You

Published on: November 1, 2024 | Reading time: 9 min.
WRITTEN BY
Ulrika Skadhauge
Assistant attorney
In May 2024, both the European Commission and Microsoft sued the European Data Protection Supervisor (EDPS) before the Court of Justice of the European Union (CJEU).

This marks the latest chapter in an ongoing debate on how European businesses can reconcile the use of standardized cloud services with the GDPR.

Read on to get my perspectives on a case that could change the way businesses use cloud services:

  • A summary of the key developments that have led us here
  • The contentious issues underlying the litigation
  • An indication of what your organization should be aware of in the coming months.

Most of us use cloud providers based in the US

Cloud services are an indispensable tool for anyone who wants to run a modern business. Large and small businesses alike rely on cloud-based solutions to stay innovative and competitive.

The provider typically offers these services via a subscription with the added benefit that the provider handles all security updates and patches centrally.

However, this division of roles leads to a certain loss of control for the customer – especially when it comes to the processing of personal data in the cloud.

Figures from 2022 show that service providers such as Amazon, Microsoft, and Google held 72% of the European cloud market.

European providers only had 15%.

This reflects and confirms a broader trend:

Most cloud giants are headquartered in the US.

The widespread use of their services has therefore created a greater need for effective mechanisms to transfer and protect personal data outside the EU.

Transfers outside the EU: The basics

Non-EU countries are known as ‘third countries’ under the General Data Protection Regulation (GDPR).

Since it became applicable in 2018, the GDPR has provided a high, consistent level of protection for EU citizens’ personal data.

A key set of obligations is outlined in Chapter V of the GDPR.

The chapter takes you through different transfer mechanisms. They’re designed to ensure that the EU’s level of data protection isn’t compromised when a company or authority transfers personal data to third countries.

Even to countries that don’t offer the same protection as the EU.

One such mechanism for transferring data is relying on adequacy decisions:

Under Article 45 of the GDPR, the European Commission can decide that a third country ensures an adequate level of protection, which gives the green light to transfer data there without further authorization.

These decisions stem from thorough analyses of third-country jurisdictions conducted by the Commission. Adequacy decisions designate a jurisdiction as a “safe third country.”

This means that the local privacy laws provide an adequate level of protection for EU personal data.

In the absence of an adequacy decision, EU data can only be transferred to so-called ‘non-safe third countries’ if the parties involved in the transfer ensure an adequate level of protection through contractual safeguards.

In practice, the European Commission’s Standard Contractual Clauses (SCCs) under Article 46(2)(c) are the transfer mechanism used by most businesses.

SCCs are pre-approved templates made by the Commission that include provisions outlining specific data protection measures that the parties commit to uphold.

This way, the parties ensure sufficient protection through a private legal framework when they adopt SCCs between themselves.

In theory, this approach seems effective in ensuring data protection across global borders.

But in practice?

SCCs are no quick fix.

Schrems II and ‘the zero-tolerance approach’

SCCs were at the center of the CJEU’s ruling in the Schrems II case (C-311/18, 2020). It revolved around US authorities’ access to data processed by Facebook – which we now know as Meta.

The landmark judgment examined the interplay between EU law and third countries’ national legislation, particularly concerning government surveillance programs.

Following the Schrems II ruling, the European Data Protection Board (EDPB) and national data protection authorities in Europe have issued guidelines that adopt a restrictive stance on data transfers to non-safe third countries.

Some see this approach as a “zero tolerance” interpretation of Chapter V of the regulation.

It compels European data controllers and data processors to eliminate any theoretical risk of third-country authorities accessing EU citizens’ data. And that only leads to documentation requirements that are even harder to manage.

If you’ve ever dealt with a Transfer Impact Assessment (TIA) you know that assessing foreign jurisdictions is tricky.

This is especially the case for European SMEs that lack the resources to handle such tasks.

And yet…

Critics of the zero-tolerance approach believe that this strict interpretation is not in line with EU law.

In fact, Recital 4 of the GDPR preamble itself clearly states that the right to data protection isn’t “absolute.”

It’s meant to be viewed in the broader context of society and should be balanced against other fundamental rights. All this is in line with the principle of proportionality at the base of all EU law.

When interpretations clash: The Microsoft 365 case

After the Schrems II ruling, the EDPB, EDPS, and several national data protection authorities began delving into how European companies and institutions use data processors.

Specifically, they focused on those based outside the EU or with parent companies located outside the EU.

One such investigation by the EDPS focused on the Commission’s use of Microsoft 365. It lasted three years, culminating in the publication of a detailed 180-page decision in March 2024.

The EDPS found that the Commission had infringed the EUDPR (Regulation (EU) 2018/1725, the counterpart of the GDPR that applies to EU institutions) in three key areas. It therefore ordered the Commission to bring its processing into compliance on the following points by December 9, 2024:

Issue 1) Ensure purpose limitation

The data protection law principle of purpose limitation requires that a controller only processes data for explicitly stated purposes.

Although the Commission’s agreement with Microsoft had such an instruction, the EDPS considered that the types of personal data and processing purposes specified were not clearly defined and limited to specific purposes.

Similarly, the description of the types of personal data Microsoft was allowed to process was too imprecise.

Therefore, the EDPS concluded that the Commission could not get a sufficient overview of the types of personal data processed and the actual processing purposes.

For this reason, the EDPS considered that the Commission couldn’t monitor whether Microsoft was processing personal data within the agreed framework – and thus whether the processing was lawful.

Issue 2) Ensure adequate security measures for international transfers

The Commission didn’t precisely describe which personal data Microsoft could transfer to which recipients outside the EU/EEA.

As mentioned in issue 1: To ensure the lawfulness of processing activities, it’s a prerequisite that data controllers know the scope of which data is processed in which ways (and where).

The EDPS concluded that the Commission hadn’t mapped international data transfers accurately enough to be able to ensure that these transfers were also carried out with adequate security.

For this reason, the EDPS also found that the Commission wasn’t able to determine whether supplementary measures were needed for the transfers.

Consequently, the Commission hadn’t ensured that appropriate safeguards were in place either.

Although the Commission had put SCCs in place with Microsoft, it had neither risk-assessed nor mapped the transfers of personal data.

Issue 3) Prevent unauthorized disclosures

The Commission didn’t ensure that Microsoft only notified them of personal data requests when required by EU or Member State law.

Also, they hadn’t assessed the data protection laws of third countries where data might be transferred.

This left potential gaps in preventing unauthorized disclosures.

The EDPS’s decision is based on a regulation that applies only to EU institutions, and the EDPS is a supervisory authority whose remit covers only those institutions.

Even so, the situation is a strong indicator of the challenges many EU businesses face when using cloud services.

The 365-million-dollar question: What can we expect from the 'appeal'?

In May 2024, the Commission, and subsequently Microsoft, brought the EDPS decision before the CJEU.

That makes this case particularly interesting to follow.

Businesses using cloud services will be eagerly awaiting the CJEU’s perspective on several key issues that many are currently grappling with. Among others:

#1: When does using a cloud-based tool become a third-country transfer?

It has been a recurring question:

“What actually makes up a transfer to third countries?”

This is especially the case when discussing cloud services as they’re typically hosted by corporations with US headquarters.

These services are complex and involve multiple types of data flows. A key concern arises when service-generated data — data created by the service itself — is transferred from EU servers to the US parent company to enhance the service.

A key issue in the case is how much detail the data controller needs to document in this regard:

How closely should data flows be mapped and monitored?

While service-generated data is treated as personal data, it is worth remembering that this is data that only indirectly reflects the individual user’s technical use of an IT system.

In other words, service-generated data seems to have a less direct link to the privacy of the data subject than other types of data protected by the GDPR.

In my opinion, authorities like the EDPS should take this into account when defining the responsibilities of data controllers in practice.

#2: How precisely should the personal data and purposes of processing be described in a data processing agreement?

We expect the CJEU to address a key question:

How detailed and precise must a controller’s instructions in a data processing agreement be in describing the type of personal data the processor may process?

In the CJEU’s answer to this question, we can hopefully expect some clarifications on the scope of the accountability principle. Similarly, we hope to deepen our understanding of the extent to which data controllers must give detailed instructions to their data processors at the time of contract.

As legal scholars have rightly pointed out, the EDPS’s requirement for highly granular processing instructions seems at odds with the concept of outsourcing services to a cloud provider.

If a service is outsourced, why must data controllers retain in-house expertise to provide highly detailed processing instructions?

From a business standpoint, the requirement of keeping internal experts with deep knowledge of Microsoft’s systems seems to defeat the purpose of outsourcing these functions.

In a similar vein, we may also gain clearer insights into the expectations for data controllers when it comes to conducting transfer risk assessments.

Scholars have argued that the exporter – rather than the data controller – is better able to do risk assessments in the regions where they operate.

To make this approach feasible, there should be clear, practical guidelines in place to support and streamline the process.

We also hope to see the CJEU address the EDPB and EDPS’s current requirement that foreign legal systems must be essentially equivalent to European law.

This stance has been rightly criticized for disregarding the sovereignty of other nations to establish their own legal frameworks and data transfer rules.

The CJEU’s ruling could have major practical consequences for how the contractual relationship between data controllers and cloud providers will look in the future.

#3: What role does the general EU principle of proportionality play when data protection authorities make decisions with far-reaching consequences for European businesses?

The EDPS’s requirement for the Commission to bring all data processing activities into compliance with the EDPS decision by December 9 is a significant interference in the institution’s operations.

The EU principle of proportionality plays a crucial role in ensuring that data protection regulations strike a fair balance between safeguarding personal data and supporting practical business operations.

When authorities impose strict requirements – such as documentation for every potential data transfer, even for service-generated data — they risk creating burdens that outweigh the actual privacy risks.

This raises important questions:

Are these expectations realistic and aligned with the purpose of outsourcing to secure, reputable providers, or are they creating disproportional obstacles for businesses?

As we know from the preamble of the GDPR, the right to data protection is not absolute.

Proportionality should guide decisions to ensure that data protection measures are effective without stifling innovation or competitiveness in European businesses and organizations.

As it stands, the enforcement of Chapter V leaves entities that rely on cloud services grappling with legal uncertainty and evidentiary challenges that could unnecessarily hinder their operations.

While U.S. lawmakers may be warming up to the idea of enacting legislation somewhat similar to the GDPR, it’ll be interesting to hear the CJEU’s perspective on how European businesses should navigate the complexities of global data flows in the current regulatory environment.

We look forward to clarification from the CJEU on how the principle of proportionality should be applied when enforcing data protection rules.

No matter how it ends, this case on cloud – and how it has turned into a thundercloud – is one of many cases from practice that help us understand how to comply with the GDPR.

Category:
GDPR